From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: Query: Stateful parameters Explicitly and Implicitly defined, which is it?
Date: Wed, 21 Oct 2009 09:59:14 +0200 [thread overview]
Message-ID: <4ADEBF52.7050602@chello.at> (raw)
In-Reply-To: <4ADE2689.4070707@tssg.org>
netfilter-owner@vger.kernel.org wrote:
> Dear experts,
>
> If a rule has a state of NEW does it implicitly imply ESTABLISHED also?
>
> Looking at examples on the web I see references to both.
>
> For example to permit access to an internal Web server, which of the
> straw-man rules are correct?
>
> Implicit Established Example:
> iptables -a FORWARD -i eth0 --dport 80 -m state --state NEW -j ACCEPT
>
> Explicit Established Example:
> iptables -a FORWARD -i eth0 --dport 80 -m state --state
> NEW,ESTABLISHED -j ACCEPT
both are, but both miss: '-p tcp'; and its '-A' not '-a'.
It depends what your other rules in the ruleset do.
if you have some like:
iptables -A FORWARD -m state --ESTABLISHED -j ACCEPT
the first of the 2 rules above will work out, though the second will
also work, just has this redundant state descriptor (which does not
matter all).
To allow http traffic, without other rules:
iptables -A FORWARD -i eth0 -m tcp --dport 80 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -m tcp --sport 80 -m state --state
ESTABLISHED -j ACCEPT
>
> Similarly, I see reference to setting TCP flags as a control measure.
> Particularly for port scanning etc. However sticking with the Web
> server example, an internal Web Server should expect a client to
> initiate a connection (SYN flag) but the server itself should not do
> this.
>
> example strawman-rules of the stateless kind:
> iptables -a FORWARD -i eth0 --dport 80 --tcp-flags SYN -j ACCEPT
>
> iptables -a FORWARD -o eth1 --sport 80 --tcp-flags ACK -j ACCEPT
>
> The thing is, what happens after the 3-way handshake? Incoming http
> requests will no longer have a SYN flag set! So is there some implicit
> knowledge that netfilter or other packet filters operate over?
>
Same as before, you need other rules to handle that. Usually I normalize
TCP traffic, even before it hits the rules for the servers, but if i
wouldn't do it globally, I'd rather write the rule like this:
iptables -A FORWARD -i eth0 -m tcp --dport 80 --tcp-flags SYN -m state
--state NEW -j ACCEPT
> regards,
> Will.
>
hope it helps
regards
Mart
next prev parent reply other threads:[~2009-10-21 7:59 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-20 21:07 Query: Stateful parameters Explicitly and Implicitly defined, which is it? William Fitzgerald
2009-10-21 7:21 ` John Lister
2009-10-21 7:59 ` Mart Frauenlob [this message]
2009-10-21 8:46 ` William Fitzgerald
2009-10-21 9:33 ` Mart Frauenlob
2009-10-21 9:46 ` William Fitzgerald
2009-10-21 10:08 ` Mart Frauenlob
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ADEBF52.7050602@chello.at \
--to=mart.frauenlob@chello.at \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.